On Jul 18, 2005, at 2:14 PM, Jim Fenton wrote:
> As for the removal of internal white space in the nowsp
> canonicalization, if whitespace is something that can't be exploited
> by an attacker, why not remove it? The only exploit I'm aware of is
> the somewhat ridiculous "ASCII art" attack where an existing message
> is respaced to spell out something else in big letters.
Ridiculous or not, I'm getting a lot of them these days. If I were a
spammer, I would be very interested in intercepting valid signed
messages and turning them into ASCII art in a way that preserves the
signature.
Having said that, I'm not sure we should worry about it. I don't have
a very high opinion of the technical competence of the average user,
but I think the idea that most ASCII art messages are not to be trusted
is something that we can socialize widely.
Also, Earl Hood wrote:
> Since DKIM allows digital signing of message bodies,
> there is an implicit indication that message content can be "protected"
> via DKIM.
Implicit indications aren't very helpful. But we can certainly say
that DKIM + base64 protects the content. Perhaps we should explicitly
recommend base64 for anyone who wants this kind of absolute fidelity?
I've long believed that if you don't use base64, you shouldn't expect
that kind of fidelity.
-- Nathaniel
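
Added example, not part of the original message: a simplified Python model of the whitespace-stripping `nowsp` canonicalization discussed above, showing that a respaced plain-text body keeps the same body hash while the same change to a base64-encoded body does not. The `nowsp` function here (drop every space, tab, CR and LF), SHA-256 as the hash, and the sample bodies are assumptions made for illustration, not the draft's exact algorithm.

```python
import base64
import hashlib

WHITESPACE = b" \t\r\n"

def nowsp(body: bytes) -> bytes:
    """Simplified model of 'nowsp' (assumption): drop all space, tab, CR, LF."""
    return bytes(b for b in body if b not in WHITESPACE)

def body_hash(body: bytes) -> str:
    """Hash of the canonicalized body; stands in for the signed body hash."""
    return hashlib.sha256(nowsp(body)).hexdigest()

def as_base64_body(text: bytes, width: int = 76) -> bytes:
    """Encode text as a base64 transfer-encoded body, wrapped at `width`."""
    enc = base64.b64encode(text)
    lines = [enc[i:i + width] for i in range(0, len(enc), width)]
    return b"\r\n".join(lines) + b"\r\n"

# Constructed sample bodies: same non-whitespace characters, different spacing.
ORIGINAL = b"Your order has shipped.\r\nThank you for your business.\r\n"
RESPACED = (b"Y o u r   order\r\n\r\n   has   shipped.\r\n"
            b"  Thank you for\r\nyour business.\r\n")

def demo() -> dict:
    return {
        # Plain text: respacing is invisible to the whitespace-stripping hash.
        "plain_respaced_same_hash":
            body_hash(ORIGINAL) == body_hash(RESPACED),
        # Base64: any change to the decoded text changes the encoded
        # characters, so the hash no longer matches.
        "b64_respaced_same_hash":
            body_hash(as_base64_body(ORIGINAL)) == body_hash(as_base64_body(RESPACED)),
        # Re-wrapping the base64 lines keeps the hash, and the decoded
        # content is still byte-for-byte identical.
        "b64_rewrapped_same_hash":
            body_hash(as_base64_body(ORIGINAL, 76)) == body_hash(as_base64_body(ORIGINAL, 40)),
        "b64_rewrapped_same_content":
            base64.b64decode(as_base64_body(ORIGINAL, 40)) == ORIGINAL,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
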